Home > Administrators, BI Platform > Fixing Permissions: Am I Allowed To Do That?

Fixing Permissions: Am I Allowed To Do That?

One of my least favorite topics is licensing.

It seems like every year as corporate strategies change and as customers push for simplified licensing, SAP comes out with a new way to sell it’s products.  If you’ve been around a while you’ll recognize some of these:

  • BusinessObjects Enterprise
  • BusinessObjects Enterprise with Interactive Viewing
  • BusinessObjects Enteprise Premium
  • BusinessObjects Edge
  • BusinessObjects Edge Premium
  • Premium Package, Visualization & Reporting
  • Premium Package, Query Reporting & Analysis
  • BI Package
  • BI Suite

What I’m not going to do is explain how SAP licenses it’s products.  That’s what the sales guy is for.

What I do want to explain is how the functionality within the licensing model breaks down and how it impacts you as the BusinessObjects administrator.

Licensed User Type

With BusinessObjects, licensing was pretty straight-forward.  You could either buy:

  • CPUs – unlimited active users running on a limited number of cpus (cores typically counted as 1/2).
  • Named users – one license per named system user on unlimited hardware.
  • Concurrent users – a delightful combination of unlimited users set up on unlimited hardware, but only a given number of those users could log in simultaneously.  (This license went away for a while and now it’s back for specific situations.  Typically customers can figure on 10:1 rate of potential users to concurrent users).

When SAP acquired BusinessObjects all that changed.  SAP introduced the idea of licensing both the ‘platform’ as well as the user count.

SAP customers who use BusinessObjects must purchase licenses for the platform (cpu or named users) as well as a named user license for every person who accesses the BusinessObjects environment.  The only problem is that there is typically a big difference between the capabilities a power user/administrator needs and a casual user who only accesses the system occasionally.

In order to provide try and keep licensing simple, while at the same time providing a differentiation between power users and casual users, SAP created the concept of a licensed user type.

There are two:

  1. Expert users – also know as Business Expert or Business Analyst Users
  2. Standard users – also known as Business Information, BI Viewer or Viewer Users.

What Is My User Allowed To Do

I’ve created a table which breaks down the each product and explains what the user is able to do within that product.  Note that an expert user can do everything a standard user can, plus the additional items listed in the Expert User Rights column (which is the equivalent of ‘full access”).

SAP BusinessObjects Platform

Product Standard User Rights Expert User Rights
BI Platform Access platform services and view environment Modify BI Platform environment, security definition and make modifications. Access and administer (profiles, configuration) platform services.
Live Office View integration with Microsoft Office for viewing reports, dashboards Design and edit queries
BI Workspaces Customize, view personalized reports, dashboards
BI Widgets Customize, view personalized BI widgets Design, author, and create BI widgets
BI Launchpad Personalize your user profile
SAP BusinessObjects Integration  (Oracle, PeopleSoft, JD Edwards) View data from business applications in a report, analysis or dashboard (indirect access)

SAP BusinessObjects Tools

Product Standard User Rights Expert User Rights
Crystal Reports View (refresh and schedule) reports Schedule, author, edit, and update reports
WebIntelligence View (refresh, schedule, export, zoom, sort, search, filter, drill, apply basic formatting) a predefined report Schedule, author, edit, and update analyses and queries
Dashboard View (refresh and interact) dashboard models Schedule, author, edit, and update models
Analysis for OLAP Customize, view personalized BI widgets Design, author, and create BI widgets
Explorer View (search, view and navigate) data sets  Schedule, author, edit, and update Infospaces
BI Mobile View (refresh and interact) documents Author, edit and update analyses and queries
Note that this information can change at any time,
so always check with your SAP sales team to make
sure you understand the capabilities of each license type.

Controlling Access

As administrators, it’s very important to make sure standard users are not using functionality of the expert users.  The good news, bad news is that in most cases this type of user differentiation is a paper license and not controlled by the license key.  This is good because it means that as SAP’s licensing model changes, you don’t have to run out and get new license key or download a new service pack.  The bad news is, you need to setup BusinessObjects security so that standard users don’t accidently extend the reach of what they are licensed to do.

Setting restrictions based on the tables above is pretty straight-forward for most of the application permissions.  In most cases access should be set to “View” and that takes care of it.  The one except is WebIntelligence.

Controlling WebIntelligence

In order to be a standard user, you should explicitly deny specific permissions within the WebIntelligence application.  To access these permissions from the CMC home page, choose Applications.  From the list of available Applications, scroll down the list to Web Intelligence.

Select Web Intelligence and select Manage > Properties from the menu (or user the right-click menu).  Next choose User Security from the navigation pane.

Add a new Principal (if one is not already there) or highlight an existing principal user or group.  We want to Assign Security and restrict WebI access.  The default access right should be View.  We will then want to modify this by clicking the Advanced tab and selecting Add/Remove Rights.  From the left navigation pane, select Application > Web Intelligence.

Manage WebIntelligence Application Security - Scroll down to see ALL the permissions

We are now going to explicitly deny the following rights:

  • Desktop Interface – * all permissions *
  • Documents – enable creation
  • Documents – enable publish and manage content as web service
  • Interfaces – enable Rich Internet Application
  • Interfaces – enable web query panel
  • Query script – enable editing (SQL , MDX…)
  • Query script – enable viewing (SQL , MDX…)
  • Reporting – create and edit breaks
  • Reporting – create and edit conditional formatting rules
  • Reporting – create and edit input controls
  • Reporting – create and edit predefined calculations
  • Reporting – create formulas and variables
  • Reporting – insert and remove reports, tables, charts and cells

If you look under the permissions for WebIntelligence, you will now see the only permission you can modify on a per report basis is Edit Query, which no longer matters because here we’ve explicitly denied Query script – enable editing (SQL, MDX…) within the WebI application.

Once the changes are complete, you should be able to access existing WebIntelligence documents and see that a number of features are now disabled (grayed out).

Standard User Access WebIntelligence With Restricted Permissions

If you have additional questions about permissions and how they might have changed from older versions of BusinessObjects, you can access the information here:
http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/f0543a8d-9155-2f10-c5a7-8d15688a5faa&overridelayout=true

I hope this blog has been useful.  Please do NOT leave any comments below about licensing.  I won’t be able answer these.

What I did want to answer is any questions about the difference between the different user types and show you how to modify the security within BusinessObjects to make sure you are in compliance with your license agreement.  Hopefully it’s mission accomplished.

«Good BI»

  1. Vamsi Ch
    May 21st, 2012 at 18:41 | #1

    David,

    So if I am enabling Interactive Mode for WebI docs, so does it convert logically an existing “Standard users” to “Expert User” and would trigger licensing issues ?

    Vamsi Ch

    • David Taylor
      May 22nd, 2012 at 16:19 | #2

      The point of this blog post was to make sure that customers understand that they need to proactively limit the Interactive WebI capabilities if they do not have Expert user licenses for all the associated BusinessObjects users. If an SAP licensed customer is not restricting access to WebIntelligence by Standard Users, then this would be a license violation.

      Does that help?

  2. Vamsi Ch
    May 22nd, 2012 at 16:25 | #3

    Yes, thanks for clarification so based on number of available expert licenses, we have to limit WebI’s interactive access.

    Vamsi Ch

    • David Taylor
      May 22nd, 2012 at 16:27 | #4

      Yes. It’s the licensed customers responsibility.

  3. May 26th, 2012 at 21:35 | #5

    Yes, they don’t help themselves regarding licensing – KISS – keep it simple stupid

    BO is an excellent product but their licensing strategy results in my experience that it doesn’t get fully utilised on a big scale and it’s benefits are not fully realised in the business community – there more choice in the market at a much lower cost that is more easy to sell to the business community or put it this way, the business convince themselves that it’s best for them with costs being easy to understand

    • David Taylor
      May 29th, 2012 at 02:12 | #6

      I wish our licensing was a lot simpler but as products mature and the market changes, you have to adjust your licenses to fit that model. If you are looking for BusinessObjects as a less expensive offering as an SME, I would recommend taking a long look at SAP BusinessObjects Edge. It’s all the functionality the big boys get for a reduced price… the only limitation is scalability.

  4. venu
    March 15th, 2013 at 15:22 | #7

    We are in SAP BO BI 4.0, SP04 with 4 CPU based entreprise licenses. We already have security setup, below is setup related to Analysis workbooks.
    1) All users should be able to save their own Analysis workbooks to BO LaunchPad. They should not be able to edit (make alterations to and save) other people’s workbooks.
    2) Super users should be able to edit other people’s workbooks.

    Please provide your suggestion of how to set this up in BO.
    Regardsm
    Venu

  5. David Taylor
    June 4th, 2013 at 21:33 | #8

    Venu – sorry for the late reply. I suggest that you give technical support a call and ask them which permissions you need to deny. I try to share everything I can but in the end, I will defer to SAP’s support team.

  6. Andy McFarlane
    August 22nd, 2013 at 13:33 | #9

    Hi David – excellent article, thanks very much! I see that you restrict Webi permissions through the Applications section of the CMC. Would another way of doing it be to leave the Application settings alone and create a custom Access Level for each license type that you would apply to a folder for a given user group? This might make more sense if an organisation has two user groups per report folder, a Creator group and a Viewer group. What do you think? There are also general rights, specific rights and global rights per application – what is the difference? Thanks 🙂

  7. Kumar
    January 31st, 2014 at 20:26 | #10

    Hi David,

    Thanks for sharing useful information on security.

    We have requirement to exclude Administrator account from User restrictions.
    Ex:Must contain at least N characters.

    can we achieve this in BO4.1

    Thanks,
    Kumar

    • February 18th, 2014 at 13:19 | #11

      It should be possible to temporarily ‘change’ this option – modify the administrator password – and then reactivate the “must contain at least N characters’ requirement. Certainly you can do it manually as the administrator, but it may also be possible via the SDK.

  8. Chris Everhart
    September 15th, 2014 at 17:26 | #12

    David, thanks for your extremely informative breakdown of permissions. We are preparing to on-board a large number of users who will only consume WebI reports and will not be building or modifying any of them. Applying the permissions you recommended, I found that our test subject would receive the error “Your security profile does not include permission to edit this document” when changing selected values in an input control. Explicitly granting “Reporting – enable formatting” eliminates this problem, but also re-enables the Design option. Do you have any better recommendations for getting input controls to work correctly?

  9. Andrew Mcfarlane
    October 1st, 2014 at 13:33 | #13

    Chris, in my view, you’re best to enable the ‘reporting – enable formatting’ right, but to disable Design mode through going to users and groups in the CMC, right clicking on the group required > Customisation > Features tab. We have used customisation to successfully get round a raft of frustrating rights issues. For instance, we have set of ‘Standard’ users; we don’t want them to be able to create reports or edit the query of existing reports, but we do want them to be able to load an Explorer space or perform a drill. All those options require at least the right called ‘create and edit universe query’. So, we had to enable that right, but then block off access to the New Document button (in Webi) and to the Edit button (in Design Mode).

  10. October 24th, 2014 at 06:36 | #14

    Just desire to say your article is as astonishing.
    The clearness in your post is simply nice and i could assume you are an expert on this subject.
    Well with your permission allow me to grab your RSS feed to keep updated with forthcoming post.

    Thanks a million and please carry on the rewarding work.

  11. Neal Gosz
    December 8th, 2014 at 16:53 | #15

    David,

    Thanks for this. Good information as I’m trying to re-hash my knowledge in the CMC. I do have a question – in the menu bar, the “New” option is grayed out when trying to select starting a new document. Do I enable that in the Security Settings or by user?

    Thanks

  12. Pari
    April 14th, 2015 at 07:22 | #16

    Hi David,

    Thanks for sharing your knowledge.

    I have a question about granting modification rights to business super users.

    In our project, a few business users should have modification rights on reports in BO.

    As BI developers and according to best practices, we develop reports in Dev and promote them to Prod via LCM but what if just a few business users should also have modification rights?

    I know one approach is asking them to save reports in their favorites but I’d like to know about other best practice approaches. Shall we grant them rights in Dev and schedule promotions to move their changes to Prod? Is it a good idea to give them access to Dev server? Or shall we grant rights to Prod server and move their changes from Prod to Dev to make sure that the servers are kept in sync??

    (on BO 4.1 SP4)

    Thanks in advance

  1. No trackbacks yet.